Query Details

Dism Linux Subsystem

Query

Tags:

Query:
    DeviceProcessEvents
        | where FileName contains "Dism.exe" or   ProcessVersionInfoInternalFileName == @"dism"  | where ProcessCommandLine contains "Subsystem"
References:

Explanation


This query looks at process-creation events in the DeviceProcessEvents table. It keeps events where the process file name contains "Dism.exe" or where the internal file name recorded in the binary's version information is exactly "dism", and then narrows those to events whose command line contains the word "Subsystem". Given the title, the intent is to catch DISM being used to enable the Windows Subsystem for Linux optional feature (feature name Microsoft-Windows-Subsystem-Linux), which gives an attacker a Linux environment, and Linux tooling, on a Windows host. Two points to keep in mind when tuning it: contains is case-insensitive, so the "Dism.exe" clause also matches "dism.exe", but == is case-sensitive, so the internal-file-name clause only matches the exact lowercase string "dism"; use =~ if you want that comparison to ignore case. Also, contains "Subsystem" is a loose match that will return any DISM invocation mentioning that word; if you only want the WSL feature, match on the full feature name instead.
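The following is an added, tightened variant of the query above, not the author's original. It uses case-insensitive matching for both file-name clauses, matches the WSL feature name rather than the bare word "Subsystem", and projects the columns an analyst needs to triage a hit. The seven-day time window and the feature-name filter are assumptions made for this example; adjust both to your environment.

```kql
// Added example: DISM enabling the Windows Subsystem for Linux feature.
// Assumes a 7-day lookback; widen or narrow as needed.
DeviceProcessEvents
| where Timestamp > ago(7d)
// =~ is the case-insensitive equality operator in KQL; == would miss "DISM".
| where FileName =~ "dism.exe" or ProcessVersionInfoInternalFileName =~ "dism"
// 'has' does whole-term matching and is cheaper than 'contains';
// the hyphens in the feature name are term delimiters, so this still hits
// "Microsoft-Windows-Subsystem-Linux".
| where ProcessCommandLine has "Microsoft-Windows-Subsystem-Linux"
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine
| order by Timestamp desc
```

The InitiatingProcessFileName and InitiatingProcessCommandLine columns are what distinguish an administrator running DISM from a console from the same command being launched by a script or an unexpected parent process, so keep them in the projection when you turn this into an alert.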

Details


Ali Hussein

Released: September 24, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

DeviceProcessEvents
where
contains
or
==
ProcessVersionInfoInternalFileName
ProcessCommandLine
